From f76b314f1f04929035ed12e7d597311a3345a51d Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 10 Feb 2021 17:02:33 +0100
Subject: [PATCH] Adjust web+ scheme security considerations to account for FTP
 removal

Also, network scheme is now reduced to HTTP(S) scheme.

Helps with #5375, but form submission issue remains.

See https://github.com/whatwg/fetch/pull/1166 for context.
---
 source | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/source b/source
index 8ae7c01efb2..6770ccf7fee 100644
--- a/source
+++ b/source
@@ -2495,7 +2495,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn><code>about:blank</code></dfn></li>
      <li>An <dfn data-x-href="https://fetch.spec.whatwg.org/#http-scheme">HTTP(S) scheme</dfn></li>
      <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#local-scheme">local scheme</dfn></li>
-     <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#network-scheme">network scheme</dfn></li>
      <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-scheme">fetch scheme</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#http-cors-protocol">CORS protocol</dfn></li>
      <li><dfn data-x="default-user-agent-value" data-x-href="https://fetch.spec.whatwg.org/#default-user-agent-value">default `<code>User-Agent</code>` value</dfn></li>
@@ -9252,7 +9251,7 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
    context</span> is null.</li>
 
    <li>A <code>Document</code> whose <span data-x="concept-document-url">URL</span>'s <span
-   data-x="concept-url-scheme">scheme</span> is not a <span>network scheme</span>.</li>
+   data-x="concept-url-scheme">scheme</span> is not an <span>HTTP(S) scheme</span>.</li>
 
   </ul>
 
@@ -117970,16 +117969,13 @@ interface <dfn>MimeType</dfn> {
    <dd>Scheme-specific.</dd>
    <dt>Interoperability considerations:</dt>
    <dd>The scheme is expected to be used in the context of web applications.</dd>
-<!--ADD-TOPIC:Security-->
    <dt>Security considerations:</dt>
    <dd>
     Any web page is able to register a handler for all "<code data-x="">web+</code>" schemes. As
-    such, these schemes must not be used for features intended to be core platform features (e.g.
-    network transfer protocols like HTTP or FTP). Similarly, such schemes must not store
-    confidential information in their URLs, such as usernames, passwords, personal information, or
-    confidential project names.
+    such, these schemes must not be used for features intended to be core platform features (e.g.,
+    HTTP). Similarly, such schemes must not store confidential information in their URLs, such as
+    usernames, passwords, personal information, or confidential project names.
    </dd>
-<!--REMOVE-TOPIC:Security-->
    <dt>Contact:</dt>
    <dd>Ian Hickson &lt;ian@hixie.ch></dd>
    <dt>Change controller:</dt>